Commit cd40c31e authored by Ronald S. Bultje's avatar Ronald S. Bultje

matroska: don't overwrite string values until read/alloc was succesful.

This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 03ca0a5b
...@@ -639,16 +639,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num) ...@@ -639,16 +639,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num)
*/ */
static int ebml_read_ascii(AVIOContext *pb, int size, char **str) static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
{ {
av_free(*str); char *res;
/* EBML strings are usually not 0-terminated, so we allocate one /* EBML strings are usually not 0-terminated, so we allocate one
* byte more, read the string and NULL-terminate it ourselves. */ * byte more, read the string and NULL-terminate it ourselves. */
if (!(*str = av_malloc(size + 1))) if (!(res = av_malloc(size + 1)))
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
if (avio_read(pb, (uint8_t *) *str, size) != size) { if (avio_read(pb, (uint8_t *) res, size) != size) {
av_freep(str); av_free(res);
return AVERROR(EIO); return AVERROR(EIO);
} }
(*str)[size] = '\0'; (res)[size] = '\0';
av_free(*str);
*str = res;
return 0; return 0;
} }
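Review bot: The new code still computes `size + 1` on an `int` with no range check, so an element length that reaches here as a negative value or as INT_MAX turns the allocation size into 0, a negative value, or signed overflow before av_malloc() ever sees it; unless the caller (not visible in this hunk) already bounds the length, a guard such as `if (size < 0 || size == INT_MAX) return AVERROR(EINVAL);` placed before the av_malloc() call would close that for the same corrupt-file case the commit message describes. The parentheses in `(res)[size] = '\0';` are a leftover from `(*str)[size]` and can be dropped as `res[size] = '\0';`. The replace-on-success contract the change introduces is worth stating in the function's header comment, of which only the closing `*/` is inside the hunk: on failure `*str` is left untouched, and on success the previous `*str` is freed and replaced by the freshly read, NUL-terminated string.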